VertiGIS Access Control Proxy Permissions in a highly available portal deployment
We use ArcGIS Enterprise with a high-availability architecture. This means that we have two independent web adapters that control access to the ArcGIS Server Site. The web adapters are distributed on two web servers.
(Image source: https://enterprise.arcgis.com/en/portal/latest/administer/windows/ha-scenarios-web-gis.htm)
Consequently, we also need to install Access Control Proxy twice (Access Control Proxy 1 and Access Control Proxy 2) on the web servers . We will install the Access Control Designer once on a separate web server.
Questions:
a) I define permissions with the Access Control Designer. Where are these permissions stored?
b) How do I ensure that the permissions that I define via Access Control Proxy 1 also apply to Access Control Proxy 2? Is there a way to share the permissions of both Access Control Proxy on one share?
I cannot find any information on these questions in the product information.
Kind regards
Michel Brünisholz
-
Hi Michel Brünisholz thanks for the inquiry and sharing your architecture diagram. We frequently get questions from customers around multi-machine ArcGIS environments and how Access Control (VSAC) can be deployed on them and I have found that having visual references like this helps.
In terms of documentation, there is a Deployment section in the VSAC docs that is relevant here.
I want to highlight this piece:
So, to answer your questions:
a) I define permissions with the Access Control Designer. Where are these permissions stored?
They are stored in config files C:\ProgramData\Geocortex\Access Control. See the Environment Variables docs for more details.
b) How do I ensure that the permissions that I define via Access Control Proxy 1 also apply to Access Control Proxy 2? Is there a way to share the permissions of both Access Control Proxy on one share?
In the context of a multi-machine deployment, such as your dual web adaptor scenario, the typical pattern we see is to deploy VSAC designer & proxy on one server (WebAdaptor1) and VSAC proxy only on the other (WebAdaptor2).
Sharing configuration is accomplished via that SMB network share that both VSAC proxies read from, by setting your APP_DATA_PATH environment variable to target a SMB network share. VSAC designer on WebAdaptor1 writes config to the config store, and both proxies can read from it.
0
Vous devez vous connecter pour laisser un commentaire.
Commentaires
1 commentaire